[33733] in bugtraq
Re: iDEFENSESecurityAdvisory02.10.04: XFree86FontInformationFileBufferOverflow
daemon@ATHENA.MIT.EDU (Dr Andrew C Aitchison)
Mon Feb 16 13:24:05 2004
Date: Sat, 14 Feb 2004 08:58:09 +0000 (GMT)
From: Dr Andrew C Aitchison <A.C.Aitchison@dpmms.cam.ac.uk>
To: iDefense Labs <labs@iDefense.com>
Cc: bugs@securitytracker.com, <bugtraq@securityfocus.com>
In-Reply-To: <FB24803D1DF2A34FA59FC157B77C970501A746BA@idserv04.idef.com>
Message-ID: <Pine.LNX.4.44.0402140847240.3038-100000@harrier.dpmms.cam.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 10 Feb 2004, iDefense Labs wrote:
> - - - From XFree86-4.2.1/xc/lib/font/fontfile/dirfile.c:
>
> ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
> {
> char alias[MAXFONTNAMELEN];
> switch (token) {
> case NAME:
> strcpy(alias, lexToken);
>
> If lexToken is longer than MAXFONTNAMELEN (1024 chars) an overflow
> occurs.
I note that this code also ocurs in Xvnc,
and that ReadFontAlias is essentially unchanged in XFree86 CVS since
version 1.1, which has the CVS id string
/* $XConsortium: dirfile.c,v 1.11 94/04/17 20:17:01 gildea Exp $ */
I would expect that X servers from many vendors have the same
vunerablility.
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@dpmms.cam.ac.uk http://www.dpmms.cam.ac.uk/~werdna
